PCI-DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed by the Payment Card Industry Security Standards Council to provide a set of consistent security measures for merchants handling credit card transactions.

The standard includes 12 requirements for maintaining a secure operation:

Maintain an Information Security Policy

Reporting Compliance

PCI compliance reports are typically enforced by your payment processor. They will require that you fill out a certification report known as the Self Assessment Questionnaire (SAQ). The Self Assessment Questionnaire is a checklist that e-commerce website owners and operators must fill out to attest to their compliance with the standards.

Many different service providers and software come in to play in meeting PCI compliance. Shopping cart software that is marketed as PCI certified refers to PA-DSS certification (Payment Application Data Security Standard). This allows merchants to fill out several questions in the SAQ quickly and easily because the shopping cart has already certified compliance in the areas it is responsible for.

Shopp & PCI Compliance

Shopp is not a PA-DSS certified shopping cart. However, that does not mean your website cannot certify as PCI compliant.

Shopp helps merchants meet the requirements of the PCI DSS by design. Shopp regularly passes the McAfee SECURE Scan for PCI compliance when installed in a web hosting environment meets the PCI DSS requirements. To help with PCI certification, Ingenesis Limited has partnered with McAfee to provide PCI scanning services that will (similar to PA-DSS certified carts) help complete several of the checkpoints in the Self Assessment Questionnaire. To signup for PCI scanning service at a deeply discounted rate (over 70% off the regular price), see http://shopplugin.net/pci

It should be noted, that many of the requirements of the standard are outside the scope and ability of what Shopp can take care of. Instead the requirements are the responsibility of the web hosting provider or business policies that the website owner and operator must enact.

Below is a quick cross-reference of what Shopp does (or does not do) to help merchants meet the requirements of the PCI DSS:

Requirement 1: Outside of Shopp’s capability. Firewall configuration is a responsibility of your hosting provider’s network administrator. Ask your hosting provider to see if they can help you certify that this requirement is met.

Requirement 2: Outside of Shopp’s capability. This requirement should guide you in setting your system passwords and other security parameters. Your hosting provider may be able to assist you in setting secure system parameters for your site.

Requirement 3: Shopp assists with this requirement by never storing full card and cardholder data. Specifically, Shopp only stores the last 4 digits of the card’s PAN (Primary Account Number), the card expiration date and the card holder’s name. By design Shopp does not even have the capability to store more than 4 digits of the PAN, and does not have the capability to store CVV or CVV2 numbers.

Requirement 5: Outside of Shopp’s capability. Antivirus protection on your site’s hosting server is a responsibility of your hosting provider. You may inquire with your hosting provider about certifying this requirement.

Requirement 6: Outside of Shopp’s capability. It is the responsibility of network and hosting system technicians to use secure hardware and software and keep them updated to address security threats. You may inquire with your hosting provider about certifying this requirement.

Requirement 7: Shopp assists with this requirement by using the WordPress account system for administrative access. It then becomes the responsibility of the website owner to keep access confidential. Many hosting providers can assist you in setting properly secured WordPress account names and passwords.

Requirement 8: Outside of Shopp’s capability. Your hosting provider can assist you in limiting access to the system hosting your site. As the merchant, you should limit access to this information to only critical personnel.

Requirement 9: Outside of Shopp’s capability. Physical access to sensitive data stored on and transmitted to your site should be restricted by your hosting provider, however because the merchant bears the chief responsibility of protecting this data, exercise care when selecting a trusted hosting provider.

Requirement 10: Outside of Shopp’s capability. System access attempts to your site should be monitored by your hosting provider. You may inquire with your hosting provider about certifying this requirement.

Requirement 11: Outside of Shopp’s capability. Performing regular security systems tests is a responsibility of the website owner. Employing a service such as McAfee SECURE Scan, as mentioned above, can help meet this requirement.

Requirement 12: Outside of Shopp’s capability. Maintaining a policy that addresses information security is a responsibility of the website owner.